nifinifi-1.14.0-RC2: 2 vulnerabilities (highest severity is: 7.9) - autoclosed

[mend-for-github-com[bot]]

Vulnerable Library - nifinifi-1.14.0-RC2

Apache NiFi

Library home page: https://github.com/apache/nifi.git

Vulnerable Source Files (1)

/nifi-nar-bundles/nifi-standard-bundle/nifi-jolt-transform-json-ui/src/main/webapp/app/transformjson/transformjson.controller.js

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (nifinifi version)	Remediation Possible**	Reachability
CVE-2023-49145	High	7.9	nifinifi-1.14.0-RC2	Direct	org.apache.nifi:nifi-jolt-transform-json-ui:1.24.0,2.0.0-M1	❌
CVE-2024-37389	Medium	4.6	detected in multiple dependencies	Direct	rel/nifi-1.27.0,rel/nifi-2.0.0-M4	❌

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-49145

### Vulnerable Library - nifinifi-1.14.0-RC2

Apache NiFi

Library home page: https://github.com/apache/nifi.git

Found in base branch: main

### Vulnerable Source Files (1)

/nifi-nar-bundles/nifi-standard-bundle/nifi-jolt-transform-json-ui/src/main/webapp/app/transformjson/transformjson.controller.js

### Vulnerability Details

Apache NiFi 0.7.0 through 1.23.2 include the JoltTransformJSON Processor, which provides an advanced configuration user interface that is vulnerable to DOM-based cross-site scripting. If an authenticated user, who is authorized to configure a JoltTransformJSON Processor, visits a crafted URL, then arbitrary JavaScript code can be executed within the session context of the authenticated user. Upgrading to Apache NiFi 1.24.0 or 2.0.0-M1 is the recommended mitigation.

Publish Date: 2023-11-27

URL: CVE-2023-49145

### CVSS 3 Score Details (7.9)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: Low - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.openwall.com/lists/oss-security/2023/11/27/5

Release Date: 2023-11-27

Fix Resolution: org.apache.nifi:nifi-jolt-transform-json-ui:1.24.0,2.0.0-M1

CVE-2024-37389

### Vulnerable Libraries - nifinifi-1.14.0-RC2, nifinifi-1.14.0-RC2, nifinifi-1.14.0-RC2

### Vulnerability Details

Apache NiFi 1.10.0 through 1.26.0 and 2.0.0-M1 through 2.0.0-M3 support a description field in the Parameter Context configuration that is vulnerable to cross-site scripting. An authenticated user, authorized to configure a Parameter Context, can enter arbitrary JavaScript code, which the client browser will execute within the session context of the authenticated user. Upgrading to Apache NiFi 1.27.0 or 2.0.0-M4 is the recommended mitigation.

Publish Date: 2024-07-08

URL: CVE-2024-37389

### CVSS 3 Score Details (4.6)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://seclists.org/oss-sec/2024/q3/29

Release Date: 2024-06-08

Fix Resolution: rel/nifi-1.27.0,rel/nifi-2.0.0-M4

[mend-for-github-com[bot]]

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.